Sensor SW Version:
What is the Attack Count of this particular Event?
--Your lack of IP information is probably due to Alert Suppression.
Please find below:
NSM Version: 184.108.40.206
Sensor Model: M8000
Sensor SW Version: 220.127.116.11
Sigset Sensor/Manager: IPS Signature Set Version: 18.104.22.168
What is the Attack Count of this particular Event? 50+
We usually get these alerts once a week
So the entry in the RTTA/HTA looks something like this...
Where Attack Count is 50+ and then there is no IP information.
I am almost certain this is due to the Alert Suppression settings that you are using. To figure out what those are for that particular sensor, you will need to go to Devices > Devices Tab > Select the appropriate Device from the drop-down > Advanced > Alerting Options. You should see Alert Suppression here. **Note**: Disabling Alert Suppression or making changes to it may increase the number of alerts you see in the RTTA/HTA, as it will no longer combine alerts.
Sorry forgot to mention something.
I would strongly recommend upgrading to newer versions of both Manager Software and Sensor Software. Support will not assist you if you are on such old versions of code.
Newest 8.1 Build for NSM and Sensor:
Thanks for your answer.
We will surely upgrade NSM.
Can you please communicate what actually triggered this alert?
There is another signature named Kerberos Login Failure Detected; after a certain number of these are triggered, Brute Force Detected is triggered. I am not sure what the exact number is, as I am not in front of my manager.
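To make the two explanations in this thread concrete (Alert Suppression combining alerts until the entry shows only an Attack Count with no IP, and Brute Force Detected firing after some number of Kerberos Login Failure Detected hits), here is a small simulation of that pipeline. It is an added example, not NSM's own code or a reproduction of its rules: the failure threshold of 10, the 60 s correlation window, the 300 s suppression window, and the rule that a merged entry drops an IP field once the merged alerts disagree on it are all assumptions, and the alert stream is constructed inline.

```python
"""Simplified model of how an IPS manager can show a 'Brute Force Detected'
entry with Attack Count 50+ and no IP address.  Added example, not NSM's own
logic: the threshold, windows and suppression rule below are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

KERB_FAIL = "Kerberos Login Failure Detected"
BRUTE = "Brute Force Detected"


@dataclass
class Alert:
    ts: int                    # seconds
    signature: str
    src_ip: Optional[str]      # None once suppression has merged several sources
    dst_ip: Optional[str]
    count: int = 1             # the "Attack Count" shown on the RTTA/HTA entry


def correlate_brute_force(alerts: List[Alert], threshold: int = 10,
                          window: int = 60) -> List[Alert]:
    """Pass every alert through and add a Brute Force alert each time `threshold`
    Kerberos failures from one source against one target fall inside `window`
    seconds.  The thread does not give NSM's real threshold; 10 is assumed."""
    seen: Dict[Tuple[Optional[str], Optional[str]], Deque[int]] = defaultdict(deque)
    out: List[Alert] = []
    for a in alerts:
        out.append(a)
        if a.signature != KERB_FAIL:
            continue
        q = seen[(a.src_ip, a.dst_ip)]
        q.append(a.ts)
        while q and a.ts - q[0] > window:   # forget failures older than the window
            q.popleft()
        if len(q) >= threshold:
            out.append(Alert(a.ts, BRUTE, a.src_ip, a.dst_ip))
            q.clear()                        # one burst -> one brute-force alert
    return out


def suppress(alerts: List[Alert], window: int = 300) -> List[Alert]:
    """Alert suppression: merge alerts with the same signature that start within
    `window` seconds of each other into one entry.  The merged entry keeps an IP
    only when every merged alert shared it; otherwise the field becomes None,
    which is what appears as 'no IP information' beside a large Attack Count."""
    open_groups: Dict[str, dict] = {}
    out: List[Alert] = []

    def close(g: dict) -> Alert:
        src = next(iter(g["srcs"])) if len(g["srcs"]) == 1 else None
        dst = next(iter(g["dsts"])) if len(g["dsts"]) == 1 else None
        return Alert(g["start"], g["sig"], src, dst, g["count"])

    for a in sorted(alerts, key=lambda x: x.ts):
        g = open_groups.get(a.signature)
        if g is not None and a.ts - g["start"] <= window:
            g["count"] += a.count
            g["srcs"].add(a.src_ip)
            g["dsts"].add(a.dst_ip)
        else:
            if g is not None:
                out.append(close(g))
            open_groups[a.signature] = {"start": a.ts, "sig": a.signature,
                                        "count": a.count,
                                        "srcs": {a.src_ip}, "dsts": {a.dst_ip}}
    out.extend(close(g) for g in open_groups.values())
    return out


def sample_alerts() -> List[Alert]:
    """Constructed input: three workstations each fail 20 Kerberos logins against
    the same domain controller within about a minute."""
    alerts = []
    for i, src in enumerate(["10.0.1.10", "10.0.1.11", "10.0.1.12"]):
        for n in range(20):
            alerts.append(Alert(100 + 2 * i + 3 * n, KERB_FAIL, src, "10.0.0.5"))
    return alerts


def rtta_view(suppression: bool = True) -> List[Alert]:
    """What the analyst sees: merged entries, or every correlated alert when
    suppression is disabled."""
    correlated = correlate_brute_force(sample_alerts())
    return suppress(correlated) if suppression else correlated


if __name__ == "__main__":
    for a in rtta_view(suppression=True):
        print(f"{a.signature:32} count={a.count:<3} src={a.src_ip} dst={a.dst_ip}")
    print(len(rtta_view(suppression=False)), "entries with suppression disabled")
```

With suppression on, the 60 failures and the 6 brute-force alerts they produce collapse into two entries, and the source IP on both is gone because three sources were merged; the destination survives because it was the same on every alert. Turning suppression off restores per-IP detail at the cost of 66 entries, which is the trade-off the note about disabling Alert Suppression describes.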
Hi Taya Um,
You can find out what the signature is by reviewing the alert details in the policy which triggered it. This gives you a description of the alert and what triggers it.
If the alert has multiple signatures you can find out which one matched each specific alert by looking at the alert details in the Threat Analyzer.